News and Events in the Information Security world. Check in frequently for news, comments, opinions and guidance for InfoSec issues.
Created by Karn Griffen, Chief Technologist for Compushare, Inc., the nation's leading Security, Risk, and Compliance consulting firm specializing in Financial Institutions.

Thursday, May 12, 2011

1) National Data Breach Reporting. State laws have helped consumers protect themselves against identity theft while also incentivizing businesses to have better cybersecurity, thus helping to stem the tide of identity theft. These laws require businesses that have suffered an intrusion to notify consumers if the intruder had access to the consumers' personal information. The Administration proposal helps businesses by simplifying and standardizing the existing patchwork of 47 state laws that contain these requirements.

2) Penalties for Computer Criminals. The laws regarding penalties for computer crime are not fully synchronized with those for other types of crime. For example, a key tool for fighting organized crime is the Racketeering Influenced and Corrupt Organizations Act (RICO). Yet RICO does not apply to cyber crimes, despite the fact that cyber crime has become a big business for organized crime. The Administration proposal thus clarifies the penalties for computer crimes, synchronizes them with other crimes, and sets mandatory minimums for cyber intrusions into critical infrastructure.

Protecting our Nation's Critical Infrastructure

Our safety and way of life depend upon our critical infrastructure as well as the strength of our economy. The Administration is already working to protect critical infrastructure from cyber threats, but we believe that the following legislative changes are necessary to fully protect this infrastructure:

1) Voluntary Government Assistance to Industry, States, and Local Government. Organizations that suffer a cyber intrusion often ask the Federal Government for assistance with fixing the damage and for advice on building better defenses. For example, organizations sometimes ask DHS to help review their computer logs to see when a hacker broke in. However the lack of a clear statutory framework describing DHS's authorities has sometimes slowed the ability of DHS to help the requesting organization. The Administration proposal will enable DHS to quickly help a private-sector company, state, or local government when that organization asks for its help. It also clarifies the type of assistance that DHS can provide to the requesting organization.

2) Voluntary Information Sharing with Industry, States, and Local Government. Businesses, states, and local governments sometimes identify new types of computer viruses or other cyber threats or incidents, but they are uncertain about whether they can share this information with the Federal Government. The Administration proposal makes clear that these entities can share information about cyber threats or incidents with DHS. To fully address these entities' concerns, it provides them with immunity when sharing cybersecurity information with DHS. At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.

3) Critical Infrastructure Cybersecurity Plans. The Nation's critical infrastructure, such as the electricity grid and financial sector, is vital to supporting the basics of life in America. Market forces are pushing infrastructure operators to put their infrastructure online, which enables them to remotely manage the infrastructure and increases their efficiency. However, when our infrastructure is online, it is also vulnerable to cyber attacks that could cripple essential services. Our proposal emphasizes transparency to help market forces ensure that critical-infrastructure operators are accountable for their cybersecurity.

Protecting Federal Government Computers and Networks.

Over the past five years, the Federal Government has greatly increased the effort and resources we devote to securing our computer systems. While we have made major improvements,[1] updated legislation is necessary to reach the Administration goals for Federal cybersecurity, so the Administration's legislative proposal includes:

1) Management. The Administration proposal would update the Federal Information Security Management Act (FISMA) and formalize DHS' current role in managing cybersecurity for the Federal Government's civilian computers and networks, in order to provide departments and agencies with a shared source of expertise.

2) Personnel. The recruitment and retention of highly-qualified cybersecurity professionals is extremely competitive, so we need to be sure that the government can recruit and retain these talented individuals. Our legislative proposal will give DHS more flexibility in hiring these individuals. It will also permit the government and private industry to temporarily exchange experts, so that both can learn from each other's expertise.

3) Intrusion Prevention Systems. Intrusion detection systems are automated sensors that identify cyber intrusions and attacks. Intrusion prevention systems can actually block cyber intrusions and attacks. DHS' Einstein system is one example of an intrusion prevention system, and the proposal makes permanent DHS's authority to oversee intrusion prevention systems for all Federal Executive Branch civilian computers. Internet Service Providers (ISPs) implement these systems on behalf of DHS, blocking attacks against government computers. The Attorney General currently reviews and provides immunity for those ISPs, as necessary, to provide that service, and the proposal streamlines that process. This only applies to intrusion prevention systems that protect government computers, and the proposal also codifies or adds: strong privacy and civil liberties protections, congressional reporting requirements, and an annual certification process.

4) Data Centers. The Federal Government has embraced cloud computing, where computer services and applications are run remotely over the Internet. Cloud computing can reduce costs, increase security, and help the government take advantage of the latest private-sector innovations. This new industry should not be crippled by protectionist measures, so the proposal prevents states from requiring companies to build their data centers in that state, except where expressly authorized by federal law.

New Framework to Protect Individuals' Privacy and Civil Liberties.

The Administration's proposal ensures the protection of individuals' privacy and civil liberties through a framework designed expressly to address the challenges of cybersecurity.

-- It requires DHS to implement its cybersecurity program in accordance with privacy and civil liberties procedures. These must be developed in consultation with privacy and civil liberties experts and approved by the Attorney General.

-- All federal agencies who would obtain information under this proposal will follow privacy and civil liberties procedures, again developed in consultation with privacy and civil liberties experts and with the approval of the Attorney General.

-- All monitoring, collection, use, retention, and sharing of information are limited to protecting against cybersecurity threats. Information may be used or disclosed for criminal law enforcement, but the Attorney General must first review and approve each such usage.

-- When a private-sector business, state, or local government wants to share information with DHS, it must first make reasonable efforts to remove identifying information unrelated to cybersecurity threats.

-- The proposal also mandates the development of layered oversight programs and congressional reporting.

-- Immunity for the private-sector business, state, or local government is conditioned on its compliance with the requirements of the proposal.

Taken together, these requirements create a new framework of privacy and civil liberties protection designed expressly to address the challenges of cybersecurity.

The White House is about to announce its Cyber Security plan, which, in essence, allows the Government to regulate private businesses. Not only will this be an enormous cost to the private sector, but it will be completely useless. Although, I can see a bunch of consulting firms really lucking out on this one. (Remember SOX anyone? GLBA? HIPAA?). The only people benefiting from this are owners of consulting firms. Let's review the Government's track record on security from the last few years:

Tuesday, May 10, 2011

Microsoft just released its May 2011 security update: Two bulletins covering three vulnerabilities. Here's the early analysis from security companies Qualys, Symantec and McAfee:

Qualys: "MS11-035 is rated as critical and affects the WINS component of Windows 2003 and 2008 server operating systems. WINS (like DNS) is a name resolution service. WINS resolves names in the NetBIOS namespace (like DNS which resolves names in the DNS domain). WINS is not enabled by default in Windows 2003 and 2008, but server administrators who have it enabled should apply the patch immediately as attackers could remotely cause a denial of service. The exploitability index is 2, which implies that remote code execution is not likely, but denial of service is possible.

"MS11-036 affects Microsoft Office PowerPoint and is rated important. As it happened before on several occasions, users of the new Office 2010 for both Windows and Mac OS X are not affected by the vulnerability. Older versions like Office XP, 2003, 2007 and 2004 for Mac are affected. Using this vulnerability, an attacker could take full control of the target machine if a victim opens a malicious PowerPoint document.

"The two patches released today came with a new and improved exploitability index rating that was announced by Microsoft. The original rating is split into a rating for the most recent version of the software, and an aggregate rating for all older versions. For example, in MS11-036 the latest version, which is Office 2010, was not affected. Therefore the exploitability rating for the latest version was 'Not Affected' and for older platforms was 2. The new rating more accurately reflects risk to customers that keep their environments updated with the latest product releases.

"Today's release provided a breather for administrators so they can brace themselves for a larger update next month."

Symantec: "What might make the WINS vulnerability appealing to attackers is that it is a server-side issue," said Joshua Talbot, security intelligence manager, Symantec Security Response. "That means an attacker wouldn't have to trick a user into doing anything. All they would have to do to exploit this is find a server running the vulnerable service and send that machine a malicious string of data.

"This is a more serious issue on Windows Server 2003 than Server 2008," Talbot added. "At its heart, this is a memory corruption issue. In-built protections such as DEP and ASLR in Server 2008 will probably keep most attackers from achieving a complete takeover. However, a complete system compromise appears to be more likely on Server 2003, which lacks the ASLR protection.

"Microsoft also patched a couple WINS-related issues in August of 2009," Talbot concluded. "At least one of those vulnerabilities was exploited by attackers after the patches were released. That should serve as motivation for IT managers to take this month's patches seriously, even though there is a lighter load."
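The Qualys and Symantec comments above both come down to one check for an administrator: is WINS actually installed and running on this server, and is the MS11-035 fix present? The following PowerShell script is an added example written for this page; it is not code from the blog, Qualys, Symantec or Microsoft. It assumes Windows Server 2003/2008 with PowerShell 2.0 and administrative rights, and because the bulletin's KB number is not given on this page, `$Ms11035Kb` is a placeholder to be replaced from the MS11-035 bulletin.

```powershell
# Added example: audit a Windows server for exposure to the WINS issue (MS11-035).
# Assumptions: run locally as an administrator on Server 2003/2008, PowerShell 2.0.
# The hotfix KB number is NOT on the page; replace this PLACEHOLDER from the bulletin.
$Ms11035Kb = 'KB<placeholder-from-MS11-035-bulletin>'

function Get-WinsExposure {
    param([string]$HotfixId = $Ms11035Kb)

    $os = Get-WmiObject -Class Win32_OperatingSystem
    $result = New-Object PSObject -Property @{
        ComputerName  = $env:COMPUTERNAME
        OSCaption     = $os.Caption
        WinsInstalled = $false
        WinsRunning   = $false
        ListeningOn42 = $false
        HotfixPresent = $false
        Risk          = 'Not exposed (WINS not installed)'
    }

    # The WINS role registers a service named "WINS"; no service means the role is absent.
    $svc = Get-Service -Name 'WINS' -ErrorAction SilentlyContinue
    if ($svc) {
        $result.WinsInstalled = $true
        $result.WinsRunning   = ($svc.Status -eq 'Running')
    }

    # WINS name service listens on TCP 42; a listener confirms it is reachable over the network.
    $listen = netstat -an -p tcp | Select-String -Pattern ':42\s+.*LISTENING'
    $result.ListeningOn42 = [bool]$listen

    # Get-HotFix reads Win32_QuickFixEngineering; no entry means the update is not installed.
    $fix = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue
    $result.HotfixPresent = [bool]$fix

    if ($result.WinsRunning -and -not $result.HotfixPresent) {
        # Symantec's point: Server 2003 lacks ASLR, so a full compromise is more plausible there.
        if ($os.Caption -match '2003') {
            $result.Risk = 'Exposed: patch immediately (Server 2003, no ASLR)'
        } else {
            $result.Risk = 'Exposed: patch immediately'
        }
    } elseif ($result.WinsInstalled -and -not $result.HotfixPresent) {
        $result.Risk = 'WINS installed but stopped: patch before re-enabling the service'
    } elseif ($result.WinsInstalled) {
        $result.Risk = 'WINS installed and patched'
    }
    $result
}

Get-WinsExposure | Format-List
```

Run it on each server in the WINS replication topology rather than only on the one you remember enabling; the service check is deliberately separate from the port check so that a server with WINS stopped but still installed is flagged before someone turns it back on without the fix.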

McAfee: "These patches address a vulnerability that could potentially allow attackers to remotely execute arbitrary code on systems," said Dave Marcus, director of security research and communications at McAfee Labs. "Even though it's a light Patch Tuesday this month, administrators should still attend to these patches quickly.

"Microsoft also announced that it will be modifying its Exploitability Index, a patch rating system that aids in prioritization, by assigning a number based on the likelihood of an attack as a result of vulnerabilities in the first 30 days. Also included will be the "Denial of Service" risk score, which will take into account the risk posed by denial-of-service (DoS) attacks.

"This updated rating system will make it easier for IT administrators to determine their risk level, so customers should be sure to look at the new Exploitability Index in the bulletin summary to get a feel for the 'exploit potential' of each vulnerability," said Marcus.

"With massive updates such as we had in April it's easy to get overwhelmed. Microsoft's new index simplifies the process, which will help IT administrators to prioritize which patches they tackle first."